[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnuzilla] Spectre mitigation for IceCat

From: Antonio Trande
Subject: Re: [Bug-gnuzilla] Spectre mitigation for IceCat
Date: Sun, 7 Jan 2018 11:44:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0

On 07/01/2018 04:46, Mark H Weaver wrote:
> FYI, Mozilla has included two mitigations for Spectre in Firefox 57.0.4.
> They are described here:
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>   https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
> The blog post notes that one of the mitigations, disabling
> SharedArrayBuffer, is not applicable to Firefox 52 ESR because that
> version doesn't support SharedArrayBuffer.
> The other mitigation reduces the resolution of performance.now() to 20
> microseconds.  This change is included in Firefox 57.0.4, and will
> eventually be included in Firefox 52.6 ESR due to be released on Jan 23.
> I didn't want to wait that long, so I backported this second mitigation
> to GNU IceCat, which was quite easy.  It's now included in the IceCat
> package in GNU Guix, along with 100 other fixes cherry-picked from
> upstream.  I've attached the patch to this email in case it is of
> interest.
> I also recommend that you install NoScript and avoid running Javascript
> code from the network whenever you can avoid it.  Even with this
> mitigation applied, there are probably other ways to exploit these flaws
> using Javascript.
>      Mark

Thank you Mark.

Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x5E212EE1D35568BE
GPG key server: https://keys.fedoraproject.org/

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]